Publications and other reference materials referred to herein, including the references cited therein, are incorporated herein by reference in their entirety and are numerically referenced in the following text and respectively grouped in the appended Bibliography, which immediately precedes the claims.
Along with the significant growth in the popularity of smartphones and in the number of available mobile applications, the number of malware applications that harm users or compromise their private data has increased significantly. Furthermore, the rapid growth of social networking and always-connected applications has dramatically increased the traffic and signaling loads on mobile networks, potentially leading to network congestion incidents. Network overloads can be caused either by intentional attacks or by benign but poorly designed, and thus “network unfriendly”, applications. Both malware activity and “network unfriendly” applications regularly alter an application's network behavior patterns and can therefore be detected by monitoring that behavior. Thus, monitoring and analyzing the traffic patterns of network-active applications is essential for developing effective solutions for the prevention of network overloads.
Traditionally, Intrusion Detection Systems (IDS) are classified according to the type of protected system as either host-based (HIDS) or network-based (NIDS) [1]. A network-based IDS is located on a central or distributed dedicated server and monitors any number of hosts. Its detection is based on analysis of network-related events, such as traffic volume, IP addresses, service ports, protocol usage, etc. Traffic monitoring is usually performed at concentrating network elements, such as switches, routers, and gateways. A host-based IDS, on the other hand, resides on and monitors a single host machine. Its detection is based mainly on analysis of events related to OS information, such as the file system, process identifiers, system calls, etc., as disclosed in [8].
Many malware applications use network communication for their own needs, such as delivering a malicious payload or a command to a compromised device, or exfiltrating the user's data from the device. Such behavior alters the application's regular network traffic patterns and can be identified by learning the application's “normal” patterns and subsequently monitoring its network events for deviations.
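The following is an added illustration of the approach described above and is not code from the patent or from any of the cited systems. It learns a per-application baseline (mean and standard deviation of a few network-behavior features over “normal” time windows) and then scores new windows by their distance from that baseline. The application names, the four features, the window records, and the alert threshold are all constructed assumptions chosen for the example.

```python
"""Added example (not from the patent text): per-application network
behaviour baseline and anomaly scoring.

Each Window is a constructed summary of one application's network activity
over a fixed time window: bytes sent, bytes received, number of connections
opened, and number of distinct destination ports contacted. learn_baseline()
fits the mean and standard deviation of every feature from "normal" windows;
anomaly_score() measures how far a new window lies from that profile in
z-score units; detect() raises an alert above a threshold. Feature set,
sample values and threshold are illustrative assumptions."""

from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

FEATURES = ("bytes_out", "bytes_in", "connections", "dst_ports")
MIN_STD = 1e-6  # guards features that never varied in training (division by zero)


@dataclass(frozen=True)
class Window:
    app: str
    bytes_out: int
    bytes_in: int
    connections: int
    dst_ports: int

    def vector(self):
        return [getattr(self, f) for f in FEATURES]


@dataclass
class Baseline:
    means: list
    stds: list


def learn_baseline(windows):
    """Per-feature mean and population std over the training windows."""
    cols = list(zip(*(w.vector() for w in windows)))
    return Baseline(
        means=[mean(c) for c in cols],
        stds=[max(pstdev(c), MIN_STD) for c in cols],
    )


def anomaly_score(baseline, window):
    """Euclidean norm of the per-feature z-scores; larger means more unusual."""
    z = [(x - m) / s for x, m, s in zip(window.vector(), baseline.means, baseline.stds)]
    return sqrt(sum(v * v for v in z))


def detect(baselines, windows, threshold=6.0):
    """Return (app, score, reason) for each window worth an alert.

    An app with no learned profile is reported explicitly rather than
    silently ignored, since an unknown application is itself an event."""
    alerts = []
    for w in windows:
        b = baselines.get(w.app)
        if b is None:
            alerts.append((w.app, None, "no baseline"))
            continue
        s = anomaly_score(b, w)
        if s > threshold:
            alerts.append((w.app, round(s, 2), "deviates from learned profile"))
    return alerts


# Constructed "normal" windows for a hypothetical chat application.
TRAINING = [
    Window("chat", 12_000, 48_000, 6, 2),
    Window("chat", 15_000, 52_000, 7, 2),
    Window("chat", 10_000, 45_000, 5, 2),
    Window("chat", 14_000, 50_000, 6, 3),
    Window("chat", 13_000, 47_000, 6, 2),
]

# Constructed windows to score: one normal, one exfiltration-like burst of
# outbound bytes to many ports, one "network unfriendly" connection flood,
# and one window from an application that was never profiled.
TEST = [
    Window("chat", 13_500, 49_000, 6, 2),
    Window("chat", 900_000, 20_000, 40, 9),
    Window("chat", 14_000, 49_000, 180, 2),
    Window("weather", 2_000, 9_000, 1, 1),
]


def run_demo():
    baselines = {"chat": learn_baseline(TRAINING)}
    return detect(baselines, TEST)


if __name__ == "__main__":
    for app, score, reason in run_demo():
        print(f"{app}: score={score} ({reason})")
```

The z-score profile is deliberately simple; it shows the shape of the approach (learn the per-application normal, then score deviations) rather than any particular classifier, and the zero-variance guard matters in practice because features such as the destination-port count often do not vary at all during a short training period.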
Recently, with the dramatic increase in the number of malware applications targeting smartphones, various methods for intrusion detection on mobile devices have been proposed. Most IDSs for mobile devices have been host-based, applying either anomaly-based or rule-based methods to a set of features that indicate the state of the device [17]. However, in most cases the data interpretation is performed on remote servers, motivated by the limited computational resources of the mobile phone. Only a few of the proposed systems perform the learning or data analysis directly on the device [6, 10, 19], and even fewer have applied statistical or machine-learning techniques there [10, 19], even though such techniques are very popular and have been used successfully in traditional anomaly detection systems [8, 19]. Most systems either send the observed data to a server for analysis [2, 4, 12, 14, 16, 22] or perform the learning offline on a server and deploy the learned models back to the devices for detection [15, 17, 18].
In a few earlier proposed systems the learning is performed on the mobile devices themselves. For example, the system proposed by Shamili et al. [19] uses a distributed Support Vector Machine algorithm for malware detection on a network of mobile devices. Features related to phone calls, SMS messages, and data communication are used for detection. During the training phase, support vectors (SVs) are learned locally on each device and then sent to a server, where the SVs from all client devices are aggregated. Finally, the server distributes the complete set of SVs to all clients, and each client updates its own SVs. Thus, although part of the learning is performed on the device, a server and communication infrastructure are still required, along with the additional bandwidth load they incur.
Li et al. [10] presented an approach to a behavior-based, multi-level profiling IDS that considers telephony calls, device usage, and Bluetooth scans. They proposed a host-based system that collects and monitors user behavior features on a mobile device, using a Radial Basis Function network to learn profiles and detect intrusions. However, the system was tested only offline, using the MIT Reality dataset [5]; its feasibility on actual mobile devices was not tested or verified.
It is therefore a purpose of the present invention to provide a system for protecting mobile device users from harmful applications.
It is a further purpose of the present invention to provide a system for protecting cellular network infrastructure from targeted or benign overloads.
Further purposes and advantages of this invention will appear as the description proceeds.